McAfee ESM Integration Guide - ObserveIT
files.observeit.com/docs/McAfee ESM Integration Guide.pdf
This document describes the ObserveIT integration with McAfee Enterprise Security Manager (ESM).
McAfee ESM is a security information and event management (SIEM) solution used to prioritize, investigate, and respond to threats.
This integration provides security analysts and security investigation teams with powerful user-activity metadata and smart user behavior alerts.
Prerequisites
The ObserveIT data source is distributed with the ESM rule signatures. If ObserveIT is not listed as an available data source type, update your rule signatures first.
• ObserveIT (Minimum supported version: 7.4)
• McAfee ESM (Minimum supported version: 11)
• McAfee SIEM Collector installed on the same host as the ObserveIT Application Server
1. Software agents capture user activity data and send it to the ObserveIT Application Server.
2. The ObserveIT Application Server writes the user activity logs to an ArcSight Common Event Format (CEF) file that is read by the McAfee SIEM Collector.
3. The McAfee SIEM Collector forwards the events from the ObserveIT SIEM logs to McAfee ESM.
ObserveIT Configuration
To configure ObserveIT for integration with McAfee ESM:
• Enable the integrated SIEM logs and select the logs you want McAfee ESM to ingest. Windows and Unix Activity, Activity Alerts, System Events and Audit logs are supported.
• Enable the file clean-up process to run every hour. Clean-up deletes the older events from the log file and keeps the newer ones, so the file does not grow without bound. Keep in mind that events removed by clean-up are gone from the file: if the SIEM Collector is stopped for longer than the clean-up interval, the events deleted in the meantime will never reach ESM.
McAfee ESM Configuration
• Make sure a Local Receiver is configured in McAfee ESM to receive the events sent by the SIEM Collector.
• Add an ObserveIT Data Source on that receiver. For the IP Address or Host ID, specify the ObserveIT Application Server on which the SIEM Collector runs.
You can configure ESM to create a case automatically for each ObserveIT alert with a High or Critical severity level.
If you have the Advanced Correlation Engine (ACE) appliance, you can create a correlation rule that groups ObserveIT alerts by user, so that multiple alerts for the same user are correlated into a single alarm.
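The following is an added example, not code from ObserveIT or McAfee. It parses CEF lines of the kind the Application Server writes for the SIEM Collector and then applies the two ESM-side rules described above (open a case for High/Critical alerts; group alerts by user) to a constructed sample log. The CEF header layout and escaping follow the ArcSight CEF specification; the sample lines, signature IDs, event names, extension keys (suser, shost, msg) and the mapping from CEF severity numbers to Low/Medium/High/Critical are assumptions for illustration, not ObserveIT's actual output or ESM's internal logic.

```python
"""Added example: parse ObserveIT-style CEF lines and apply the case/grouping
rules described in the guide. Sample data and field names are constructed."""
import re
from collections import defaultdict

# Constructed sample log. CEF header layout is:
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_LOG = """\
CEF:0|ObserveIT|ObserveIT|7.4|1001|Activity Alert|9|suser=jsmith shost=FIN-WS01 msg=Copied file to USB device
CEF:0|ObserveIT|ObserveIT|7.4|1002|Activity Alert|7|suser=jsmith shost=FIN-WS01 msg=Ran PowerShell with encoded command
CEF:0|ObserveIT|ObserveIT|7.4|2001|Windows Activity|2|suser=akim shost=HR-WS07 msg=Opened Excel
CEF:0|ObserveIT|ObserveIT|7.4|1003|Activity Alert|5|suser=akim shost=HR-WS07 msg=Accessed shared drive after hours
CEF:0|ObserveIT|ObserveIT|7.4|3001|System Event|4|msg=Agent service restarted
"""

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")


def _unescape(value: str) -> str:
    """Remove CEF backslash escapes (\\| in the header, \\= in extension values)."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_extension(ext: str) -> dict:
    """Split 'key=value key2=value with spaces' into a dict.
    Values may contain spaces, so the split point is whitespace that is
    immediately followed by another 'key='; an escaped '\\=' never qualifies."""
    fields = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        if not token:
            continue
        key, _, value = token.partition("=")
        fields[key] = _unescape(value)
    return fields


def parse_cef(line: str) -> dict:
    """Parse one CEF line into its seven header fields plus an extension dict."""
    line = line.rstrip("\n")
    if not line.startswith("CEF:"):
        raise ValueError(f"not a CEF line: {line[:40]!r}")
    # Split on '|' not preceded by a backslash; the extension is the 8th part.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError(f"malformed CEF header: {line[:40]!r}")
    event = {name: _unescape(val) for name, val in zip(HEADER_FIELDS, parts[:7])}
    event["cef_version"] = event["cef_version"][len("CEF:"):]
    event["extension"] = parse_extension(parts[7])
    return event


def severity_label(severity) -> str:
    """Map the CEF 0-10 severity onto four levels (assumed mapping)."""
    try:
        n = int(severity)
    except ValueError:
        return str(severity)  # some producers emit Low/Medium/High directly
    if n >= 9:
        return "Critical"
    if n >= 7:
        return "High"
    if n >= 4:
        return "Medium"
    return "Low"


def load_events(text: str) -> list:
    return [parse_cef(l) for l in text.splitlines() if l.strip()]


def cases_for(events: list) -> list:
    """Alerts that would open a case: Activity Alerts at High or Critical."""
    return [e for e in events
            if e["name"] == "Activity Alert"
            and severity_label(e["severity"]) in ("High", "Critical")]


def group_alerts_by_user(events: list) -> dict:
    """Correlate Activity Alerts per user (what the ACE rule would do);
    alerts that carry no suser cannot be attributed and are skipped."""
    grouped = defaultdict(list)
    for e in events:
        if e["name"] != "Activity Alert":
            continue
        user = e["extension"].get("suser")
        if user is None:
            continue
        grouped[user].append(e)
    return dict(grouped)


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for e in cases_for(events):
        print(f"CASE  {severity_label(e['severity']):8} sig={e['signature_id']} "
              f"user={e['extension'].get('suser')} {e['extension'].get('msg')}")
    for user, alerts in group_alerts_by_user(events).items():
        print(f"ALARM user={user} alerts={len(alerts)}")
```

Running the script on the constructed sample opens cases for the two jsmith alerts (severity 9 and 7), leaves akim's severity-5 alert below the case threshold, and produces one per-user alarm for each of jsmith and akim; the System Event has no suser and is therefore not grouped.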
Support
• For help configuring McAfee ESM or the McAfee SIEM Collector, consult McAfee Support.
• For help using or configuring the ObserveIT platform, contact ObserveIT support: https://www.observeit.com/support/
You can also send an email to [email protected] with questions about this and other ObserveIT integrations.
Release notes
Version   Date         Notes
1.0.0     2018-12-18   New: Load ObserveIT logs into McAfee ESM